HyperStack

Malware

⚠️ Overview

HyperStack is a modular remote access trojan (RAT) first documented by Trend Micro in a November 2023 report, attributed to the advanced persistent threat group TA444 (also tracked as UNC432 by Mandiant). It primarily targets enterprise environments for credential theft and lateral movement, classified as a stealer and backdoor.

🔧 Technical Capabilities

HyperStack propagates via spear-phishing emails with malicious Excel attachments that exploit CVE-2023-38831, a WinRAR vulnerability patched in August 2023, to drop its initial payload. Its command-and-control (C2) infrastructure uses HTTPS with custom HTTP headers and a domain generation algorithm (DGA) seeded from the current date, as observed by Unit 42 analysts. Persistence is established through registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and scheduled tasks named "HyperUpdate." Evasion techniques include process hollowing (MITRE ATT&CK T1055.012), disabling Windows Defender via registry modification (HKCU\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware), and packing its binary with a custom UPX variant to evade signature detection. The malware also downloads encrypted configuration files from its C2 servers and stores them in the %APPDATA%\HyperStack directory.

📜 History & Notable Incidents

First observed in November 2023, HyperStack was deployed in a campaign against European telecommunications firms in early 2024, compromising at least three major ISPs, according to a Mandiant M-Trends 2024 report. No law enforcement actions have been publicly announced as of May 2025, though TA444 is also known for distributing the Socks5Systemz proxy malware in prior operations.

🔍 Detection Indicators

Known SHA256 hash for a HyperStack sample: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 (from VirusTotal, retrieved May 2025). Network indicators include outbound HTTPS requests to domains matching the pattern *.hyperstack[.]xyz and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) HyperStack/1.0. Registry artifact: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HyperSvc; the mutex name HyperStackMutex ensures single-instance execution.
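The indicators above can be turned into a small triage script. The following is an added example, not code from the original profile or from any of the vendors it cites: it refangs the defanged domain pattern into an anchored regex, matches the published User-Agent string against a constructed proxy log, scans a constructed .reg export for the HyperSvc run value and for any run entry pointing into the %APPDATA%\HyperStack drop directory, and compares a file's SHA256 against the published hash. The log format, the registry export contents and the host names in the samples are assumptions made for the example; the indicator values themselves come from the page.

```python
import hashlib
import re

# Indicators as published in the profile above. The log lines and registry
# export below are constructed samples, not captures from an infection.
HYPERSTACK_SHA256 = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2"
C2_DOMAIN_PATTERN = "*.hyperstack[.]xyz"  # defanged, exactly as written on the page
HYPERSTACK_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HyperStack/1.0"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "HyperSvc"


def refang_domain_glob(pattern: str) -> re.Pattern:
    """Turn a defanged wildcard such as '*.hyperstack[.]xyz' into an anchored
    regex. '*.' is read literally as 'one or more labels under this zone', so
    the apex itself is not matched; widen it if your telemetry warrants."""
    fanged = pattern.replace("[.]", ".")
    if fanged.startswith("*."):
        zone = re.escape(fanged[2:])
        return re.compile(rf"^(?:[a-z0-9-]+\.)+{zone}$", re.IGNORECASE)
    return re.compile("^" + re.escape(fanged) + "$", re.IGNORECASE)


# Static pattern only: the date-seeded DGA domains the page mentions need a
# separate, regularly regenerated list and are not covered by this regex.
C2_DOMAIN_RE = refang_domain_glob(C2_DOMAIN_PATTERN)

# Assumed proxy log layout: <timestamp> <client> <method> <host> "<user-agent>"
PROXY_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$'
)


def scan_proxy_log(lines):
    """Return one finding per log line that hits a network indicator."""
    findings = []
    for line in lines:
        m = PROXY_LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        reasons = []
        if C2_DOMAIN_RE.match(m["host"]):
            reasons.append("c2-domain")
        if m["ua"] == HYPERSTACK_UA:
            reasons.append("user-agent")
        if reasons:
            findings.append({"src": m["src"], "host": m["host"], "reasons": reasons})
    return findings


REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def scan_reg_export(text: str):
    """Scan a .reg export for the HyperSvc run value, and for any other Run
    value whose command points into the %APPDATA%\\HyperStack drop directory."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_m = REG_KEY_RE.match(line)
        if key_m:
            current_key = key_m["key"]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        val_m = REG_VALUE_RE.match(line)
        if not val_m:
            continue
        name = val_m["name"]
        data = val_m["data"].replace("\\\\", "\\")  # .reg files escape backslashes
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(("run-value-name", name, data))
        elif "\\hyperstack\\" in data.lower():
            findings.append(("run-value-droppath", name, data))
    return findings


def is_known_sample(data: bytes) -> bool:
    """Compare a file's SHA256 with the published sample hash."""
    return hashlib.sha256(data).hexdigest() == HYPERSTACK_SHA256


# Constructed sample input: one true C2 hit, one UA-only hit, one benign line,
# and one look-alike host that must not match the anchored pattern.
SAMPLE_PROXY_LOG = [
    '2025-05-02T10:14:03Z 10.0.0.15 GET update.hyperstack.xyz "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HyperStack/1.0"',
    '2025-05-02T10:14:05Z 10.0.0.22 GET www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    '2025-05-02T10:14:09Z 10.0.0.15 POST cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HyperStack/1.0"',
    '2025-05-02T10:14:12Z 10.0.0.31 GET hyperstack.xyz.lookalike.test "curl/8.0"',
]

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"HyperSvc"="C:\\Users\\alice\\AppData\\Roaming\\HyperStack\\svc.exe"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\HyperStack\\upd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
"""

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network:", f)
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print("registry:", f)
```

The User-Agent match is exact on purpose: the page gives the full string, and a substring match on "HyperStack/" alone would also be reasonable but is a looser rule. The registry scan flags the second HyperStack-path entry even though its value name is not HyperSvc, because the drop directory is an indicator in its own right and operators may rename the run value between builds.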

☠️ Risk & Impact

HyperStack exfiltrates browser credentials, VPN certificates, and SSH keys, leading to estimated financial losses of over $4 million across targeted telecom firms, as reported in a CrowdStrike 2024 threat assessment. Affected sectors include telecommunications, energy, and finance, with data theft enabling subsequent ransomware deployment by TA444 operators.

🛡️ Mitigation

Recommended defenses include patching CVE-2023-38831, enabling Windows Defender Attack Surface Reduction rules against Office child processes, and deploying EDR solutions with behavioral detection rules for process hollowing (MITRE ATT&CK T1055.012). YARA rules targeting the custom UPX packer are available from Trend Micro's GitHub repository (url removed for brevity).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.